“We believe email is fundamentally broken in its current architecture.”
That’s the CEO of Silent Circle, a former and hopefully future provider of secure cloud-based email, talking about the Dark Mail Alliance project that Silent Circle and Lavabit are working on.
Lavabit suddenly shut down in August with no warning and little explanation. It soon became clear that the U.S. Government had imposed hopeless conditions: turn over customer data while hiding that fact from all customers, or go to jail. Lavabit’s founder Ladar Levison described the government demands as requiring him to become “complicit in crimes against the American people”, and went on to say in an interview, “If you knew what I know about email, you might not use it.” Silent Circle shut down its email service a few days later. In Learning Tree’s Cloud Security Essentials course we discuss government coercion of cloud providers and point out that there was plenty to worry about before the Snowden revelations.
But new plans are underway, and they involve using cloud resources to provide security.
SMTP, the Simple Mail Transfer Protocol, is what your email client uses to submit a message to your provider’s server and what servers use to relay messages to their destination. It was designed back in 1982 [RFC 821] and last revised in 2008 [RFC 5321]. You can encrypt the message contents, if you have the technical background and caution to install and use a cryptographic plugin like GnuPG, and if you already have the public key of your correspondent. I have the technical background and interest in security, but I have exchanged public keys with just a handful of the many people I communicate with via email.
Even in the rare cases where we can encrypt the content in both directions, the SMTP headers, or “metadata” (there’s a technical term many people learned within the past year!), remain in cleartext. Opportunistic STARTTLS between hops hides them from a compromised router on the backbone, but every relaying SMTP server must still read the headers in the clear to route the message, so every one of them can log who is writing to whom, and when. Who knows what lists I’m on for exchanging encrypted emails with Canadians.
It’s time for a new architecture, and the Dark Mail Alliance looks very promising.
Public-key cryptography is involved, of course. Every user has a key pair: the private key is installed on all of their devices, and the public key is stored in the cloud. A crucial aspect of the proposed architecture is splitting the message from the metadata.
The Dark Mail Alliance whitepaper isn’t out yet, but it looks like every message will be encrypted with a symmetric cipher under a randomly chosen session key. A protocol like XMPP will deliver what they’re calling a short “routing message”. That message, encrypted with the receiver’s public key (so only they can read it), will tell their software the URL from which to retrieve the encrypted message and the key to decrypt it. The server that stores the body never sees the session key, and the routing message carries no subject, no sender and no recipient address in the clear, which is what separates the metadata problem from the content problem.
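The exchange described above, as an added example written for this post; it is not Dark Mail Alliance code and the whitepaper may specify different primitives. It assumes AES-256-GCM for the body, RSA-OAEP for the routing message, an in-memory map standing in for the cloud object store, and made-up field names and a made-up URL scheme (the XMPP delivery of the routing message is reduced to handing the ciphertext to the receiver):

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// RoutingMessage is the short message carried over XMPP. The field names are
// assumptions for this example, not the Dark Mail Alliance format.
type RoutingMessage struct {
	URL string `json:"url"`
	Key []byte `json:"key"`
}

// Store stands in for the cloud store that holds encrypted bodies. It only
// ever sees ciphertext and the opaque URL under which it was stored.
type Store map[string][]byte

// sealBody encrypts a message body under a fresh random session key with
// AES-256-GCM and returns the key and the nonce-prefixed ciphertext.
func sealBody(plain []byte) (key, blob []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, plain, nil), nil
}

// openBody reverses sealBody; a wrong key or a tampered blob fails the GCM tag.
func openBody(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// send is the sender's side: encrypt the body, park the ciphertext in the
// store under a random URL, and wrap URL plus session key in a routing
// message that only the receiver's private key can open.
func send(store Store, receiver *rsa.PublicKey, body []byte) ([]byte, error) {
	key, blob, err := sealBody(body)
	if err != nil {
		return nil, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	url := fmt.Sprintf("https://store.example/%x", id) // assumed URL scheme
	store[url] = blob
	rm, err := json.Marshal(RoutingMessage{URL: url, Key: key})
	if err != nil {
		return nil, err
	}
	// Fits comfortably in one 2048-bit RSA-OAEP block (190-byte limit).
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, rm, nil)
}

// receive is the receiver's side: open the routing message, fetch the blob
// it points at, and decrypt it with the session key it carried.
func receive(store Store, priv *rsa.PrivateKey, routing []byte) ([]byte, error) {
	rm, err := rsa.DecryptOAEP(sha256.New(), nil, priv, routing, nil)
	if err != nil {
		return nil, err
	}
	var r RoutingMessage
	if err := json.Unmarshal(rm, &r); err != nil {
		return nil, err
	}
	blob, ok := store[r.URL]
	if !ok {
		return nil, errors.New("body not found at " + r.URL)
	}
	return openBody(r.Key, blob)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	store := Store{}
	routing, _ := send(store, &priv.PublicKey, []byte("Subject: lunch?\r\n\r\nNoon at the usual place."))
	body, err := receive(store, priv, routing)
	fmt.Printf("store holds %d ciphertext(s); receiver got %q (err=%v)\n", len(store), body, err)
}
```

Note that the headers worth hiding (here a Subject line) travel inside the encrypted body; the store learns only a random URL and a ciphertext length, and an eavesdropper on the XMPP channel learns only that one OAEP block went from one client to another. Everything else about the real protocol, including how public keys are looked up and authenticated, is left to the whitepaper.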
It sounds good so far, I’m looking forward to their whitepaper!